Mythbusting: DevOps and Security


There is a lot of noise around DevOps right now, with pundits calling it the next great IT “movement.” DevOps represents the integration of development, IT operations, security, and quality assurance (some would even add sales and marketing) under a single automated umbrella. This radical new paradigm has security practitioners asking whether DevOps could kill information security as we know it. Here’s the punch line: yes, it will, but not in the way you think.

Ultimately, DevOps will turn the IT business model on its head with shorter cycle times, automation, and deep cross-functional integration to deliver the next great idea.

Increasingly, organizations are adopting this new model to streamline the development process by combining multiple steps into a single, automated process; this is the essence of DevOps. IT pros from all areas work together from the beginning to dramatically reduce the time it takes to release a product. Instead of security continuing to exist as a standalone, isolated entity, DevOps integrates security into IT processes from inception.

The Security Piece of the DevOps Puzzle

The idea that there’s no place in DevOps for security is a myth. DevOps integrates a number of functional areas, including security, into the final work product. The major difference in this new DevOps-oriented world is that everyone’s input is brought in earlier and then automated to ensure short, predictable release times and quality. While DevOps is a powerful paradigm shift, companies often don’t understand how security fits.

The DevOps movement is driving a number of misconceptions or myths around security that I feel are worth debunking. So let’s do that here: we’ll play myth buster!

Security can’t fit into DevOps – DevOps is actually a boon for security folks, who can, with the right automation and operational tools, inject security earlier into the development process, and increase the security of the code that ultimately reaches production.

Configuration management tools are the DevOps cure-all – Automation tools like Chef and Puppet are excellent for deploying and redeploying an application or configuration to a host. However, they are simply not capable of providing the kind of security analysis, monitoring, and assessment that a security professional can, nor are they designed for the kind of ongoing management of a system that is needed to ensure reliability over time.

Adopting DevOps eliminates the need for security experts – Most developers are not security experts. Security experts are needed now, more than ever, to partner with the other skill areas, and ignoring this is a great way to become the next hacker conquest.

Enterprise and DevOps are like oil and water – Enterprises can work with DevOps — just look at how the enterprise has embraced Agile methodologies. It’s the same here. DevOps is about reducing time to market, while maintaining quality, reliability and security: that’s something all businesses desire.

If we can do DevOps, we can do ‘SecOps’ – Changing the name while assuming security remains its own functional area that merely applies DevOps principles misses a core point of DevOps: cross-functional integration. Security experts should seek to partner with the rest of the organization, and do so from the beginning of the development process.

Just as operations, quality assurance and developers have had to adjust to a brave new world, where there’s an expectation of automation of work as a matter of course, security practitioners will also need to adopt this new paradigm.

Security folks should take heart though; embracing DevOps could translate into far greater impact than in the past. For example, they could:

Inject code analysis tools into the development process, and enforce fixes prior to deployment

Automate attacks against pre-production code, and prevent that code from reaching production if the attacks succeed

Continually test the production environment for weaknesses in an automated fashion

Embrace next generation automated security tools to secure their enclave

For years, security pros have dreamed of introducing security earlier in the development process, largely because they know that the earlier security is introduced, the more likely the product will withstand attack. DevOps provides a critical opportunity to realize this dream: not only to streamline development, but to improve security. And that’s no myth.